
A Honeyword Generation Method Based on Special Character Distance

DOI: 10.12677/SEA.2019.85025, PP. 207-214

Keywords: Identity Authentication, Password, Disclosure Detection, Storage Security


Abstract:

Honeywords can be used to improve the security of password storage and to detect the disclosure of a password data set in a timely manner. However, existing honeyword generation schemes still suffer from weak security and large storage overhead. In this paper, we propose a virtual honeyword generation method based on special character distance. Our analysis shows that the proposed scheme significantly reduces storage cost and improves both security and the probability that disclosure of the password set is detected.

